Designing a Calculational Proof of Cantor’s Theorem

Edsger W. Dijkstra and Jayadev Misra 


Cantor’s Diagonalization

The one purpose of this little Note is to show that formal arguments need not be lengthy at all; on the contrary, they are often the most compact rendering of the argument. Its other purpose is to show the strong heuristic guidance that is available to us when we design such calculational proofs in sufficiently small, explicit steps. We illustrate our approach on Georg Cantor’s classic diagonalization argument [chosen because, at the time, it created a sensation].

Cantor’s purpose was to show that any set S is strictly smaller than its powerset 
pS (i.e., the set of all subsets of S ). Because of the 1-1 correspondence between the 
elements of S and its singleton subsets, which are elements of pS, S is not larger 
than pS , and our proof can now be focussed on the “strictly”, i.e., we have to show 
that there is no 1-1 correspondence between S and pS. We can confine ourselves to 
non-empty S. 

1. PROOF FORMAT AND NOTATION. Eventually we present our proof in a format, due to W.H.J. Feijen, in which consecutive proof stages are separated by a connective and a justification. Thus,

$$
\begin{array}{ll}
& p \\
\Rightarrow & \{J\} \\
& q \\
= & \{M\} \\
& r
\end{array}
$$

would show a proof of $p \Rightarrow r$ in which $J$ justifies the conclusion $q$ from $p$, while $M$ explains why $q$ and $r$ are equivalent. In our proof we use $=$ and $\Leftarrow$, the latter connective being the converse of $\Rightarrow$, i.e., $(p \Rightarrow q) = (q \Leftarrow p)$.

In writing quantified formulae, we use the angle brackets, $\langle\ \rangle$, to delineate the scope of the dummy, and the double colon, $::$, to separate the dummy from the quantified term, as in $\langle \forall x :: p.x \rangle$. Function application, as in the preceding “$p.x$”, is denoted explicitly by an infix dot.

Besides “substituting equals for equals”, we use the Rule of Instantiation, viz., that for any expression $y$ in the range of the dummy $x$

$$\langle \forall x :: p.x \rangle \Rightarrow p.y .$$

Twice we use it in its contrapositive form

$$\langle \exists x :: q.x \rangle \Leftarrow q.y .$$

In the context of the latter rule, expression $y$ is often referred to as the witness for $x$. We write “$x := y$” in a justification to denote that $x$ is to be instantiated by $y$.

Type declarations consist of identifier and type (expression), separated by a colon. In what follows, $x, Y, F, g$ are of the types

$$x : S ,\quad Y : pS ,\quad F : S \to pS ,\quad g : pS \to S ,$$

while the constants $id : S \to S$ and $ID : pS \to pS$ denote the identity functions on $S$ and $pS$ respectively. When $x$ or $Y$ are used as dummies, the range of the quantification is understood to extend over all elements of their type. Examples of well-typed boolean expressions are: $F.x = Y$, $g.Y = x$, $F.(g.Y) = Y$, $g.(F.x) = x$, $x \in Y$, $g.Y \in Y$, $x \in F.x$, $g.Y \in F.x$, etc.

2. THE DESIGN OF THE PROOF. We propose to prove the absence of a 1-1 correspondence between $S$ and $pS$ by showing that for any $F, g$ of the appropriate types

$$ID \ne F \circ g . \tag{0}$$

Remark We have already made a choice, since $id \ne g \circ F$ would have implied the absence of a 1-1 correspondence as well, but the trouble with the latter is that it is not a theorem, because $F, g$ satisfying $F.x = \{x\}$ and $g.\{x\} = x$ provide a counterexample.

Our proof displays a sequence of boolean expressions, starting with (0) and ending with $\mathit{true}$, such that each expression implies its predecessor in the sequence. To construct the successor of (0) we propose to apply the definition of function (in)equality and record that (0) is equivalent to

$$\langle \exists Y :: ID.Y \ne (F \circ g).Y \rangle . \tag{1}$$

This wasn’t the only choice possible, since $(p \ne q) \Leftarrow (h.p \ne h.q)$ for any function $h$, but the point is that, on our way from (0) to $\mathit{true}$, we must get rid of the constants $ID$ and $\circ$, and we usually eliminate constants by appealing to their defining properties. Since both $ID$ and $\circ$ are defined in terms of function application, it stands to reason to apply both sides of (0) to some $Y$. Our remaining task is now to come up with a set-valued expression that can serve as a witness for $Y$.

We now eliminate $ID$ and $\circ$ by applying their definitions, i.e., we record that (1) is equivalent to

$$\langle \exists Y :: Y \ne F.(g.Y) \rangle , \tag{2}$$

and, doing justice to the fact that we are comparing subsets of $S$, we record that (2) is equivalent to

$$\langle \exists Y :: \langle \exists x :: x \in Y \not\equiv x \in F.(g.Y) \rangle \rangle . \tag{3}$$

Remark The last two steps — elimination of $ID$, $\circ$ and introduction of $x$ — commute and could be done in the other order, but for the sake of brevity it is better to simplify first.
The inner existential quantification we have just introduced can be eliminated immediately by the instantiation $x := g.Y$ and we record that (3) is implied by

$$\langle \exists Y :: g.Y \in Y \not\equiv g.Y \in F.(g.Y) \rangle . \tag{4}$$

This last implication depends on the monotonicity of existential quantification. This step was bold — it is our first strengthening in the sequence — and opportunistic: (i) we chose to instantiate $x$ because at this stage we had no candidate witness for $Y$, and (ii) for better or for worse, we instantiated with $g.Y$ because we did not have much choice since $g.Y$ is the only element of $S$ we can identify (and that is known to exist). Via the same instantiation, $x := g.Y$, we can now eliminate $g$ and record that — again thanks to monotonicity of $\exists$ — (4) is implied by

$$\langle \exists Y :: \langle \forall x :: x \in Y \equiv x \notin F.x \rangle \rangle , \tag{5}$$

where we have moved the negation to the right-hand side.

We could have performed the same transformation on (2), which would have yielded

$$\langle \exists Y :: \langle \forall x :: Y \ne F.x \rangle \rangle ,$$

but this would not have helped in the construction of a witness for $Y$. With (5) we are in a much better position because thanks to set theory — which enables us to construct set-valued expressions — we can now rewrite (5) as the equivalent

$$\langle \exists Y :: Y = \{x \mid x \notin F.x\} \rangle . \tag{6}$$

Now the instantiation $Y := \{x \mid x \notin F.x\}$ stares us in the face and we accordingly record that (6) is implied by

$$\{x \mid x \notin F.x\} = \{x \mid x \notin F.x\} , \tag{7}$$

which, because of the reflexivity of $=$, is equivalent to

$$\mathit{true} . \tag{8}$$

3. A SUMMARY OF THE CALCULATION. We have included the heuristics in our argument for educational reasons. In a document written for another purpose one would omit them. By way of illustration we present the proof in Feijen’s format, without the heuristics and incorporating somewhat larger steps:

$$
\begin{array}{ll}
& ID \ne F \circ g \\
= & \{\text{definition of } ID, \circ\} \\
& \langle \exists Y :: Y \ne F.(g.Y) \rangle \\
\Leftarrow & \{(p \ne q) \Leftarrow (h.p \ne h.q)\} \\
& \langle \exists Y :: g.Y \in Y \not\equiv g.Y \in F.(g.Y) \rangle \\
\Leftarrow & \{\text{instantiation } x := g.Y\} \\
& \langle \exists Y :: \langle \forall x :: x \in Y \equiv x \notin F.x \rangle \rangle \\
= & \{\text{set theory: consider } \{x \mid x \notin F.x\} \text{ as witness for } Y\} \\
& \mathit{true}
\end{array}
$$

This presents the calculation in a degree of detail with which we expect most mathematicians to be perfectly happy most of the time. We did not mention in our hints the monotonicity of $\exists$ because we consider it part of the predicate calculus, which we feel free to use here without mention. We would like the reader to appreciate that we have combined (i) brevity, (ii) completeness — in the sense that the hints delineate where the justification is to be found — and (iii) the constructive path that leads to the “invention” $\{x \mid x \notin F.x\}$.
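The same calculation, from statement (0) down to the witness $\{x \mid x \notin F.x\}$ of step (6), can be checked mechanically. The following Lean 4 proof is an added example and not part of the Note; it uses core Lean only, models a subset of $S$ as a predicate `S → Prop` (so "$x \in Y$" is written `Y x`), and the names `diag`, `not_eq_self_absurd` and `cantor_no_section` are ours.

```lean
-- Added example, not from the Note: statement (0), ID ≠ F ∘ g, in Lean 4 (core only).
-- Subsets of S are modelled as predicates S → Prop, so "x ∈ Y" is written "Y x".

/-- The diagonal set {x | x ∉ F.x} of step (6), the witness for Y. -/
def diag {S : Type} (F : S → (S → Prop)) : S → Prop :=
  fun x => ¬ F x x

/-- No proposition equals its own negation (the contradiction hidden in step (7)). -/
theorem not_eq_self_absurd {P : Prop} (e : (¬ P) = P) : False :=
  have hnp : ¬ P := fun p => (Eq.mpr e p) p   -- from P obtain ¬P, hence False
  hnp (Eq.mp e hnp)                           -- from ¬P obtain P, contradiction

/-- Statement (0): for every F : S → pS and g : pS → S, ID ≠ F ∘ g. -/
theorem cantor_no_section {S : Type}
    (F : S → (S → Prop)) (g : (S → Prop) → S) :
    (id : (S → Prop) → (S → Prop)) ≠ F ∘ g := by
  intro h                                     -- suppose ID = F ∘ g
  -- steps (1)-(2), instantiated at Y := diag F:  Y = F.(g.Y)
  have hY : diag F = F (g (diag F)) := congrFun h (diag F)
  -- step (4), instantiation x := g.Y:  (g.Y ∈ Y) = (g.Y ∈ F.(g.Y))
  have hx : diag F (g (diag F)) = F (g (diag F)) (g (diag F)) :=
    congrFun hY (g (diag F))
  -- by definition of diag the left side is ¬(g.Y ∈ F.(g.Y)), so step (7) collapses
  exact not_eq_self_absurd (P := F (g (diag F)) (g (diag F))) hx
```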

Comments There are several reasons for liking the calculational proof style. It pro- 
vides heuristic guidance — as shown in our construction of the required set — and cal- 
culational proofs tend to be very compact and at the same time highly readable in the 
sense that they can be fully checked without pen and paper. More importantly, the 
design of calculational proofs is an art that seems eminently teachable. 


ACKNOWLEDGMENT. Credit for the format in which we presented our calculational proof is due to W.H.J. Feijen. This format turned out to be an essential ingredient.
For Every $\varepsilon$ There Continuously Exists a $\delta$

Giuseppe De Marco


A recent paper in this Monthly [1] proves the

Proposition. Let $X$, $Y$ be metric spaces, and let $f : X \to Y$ be a continuous map. There exists a continuous function $\delta : X \times ]0, \infty[ \to ]0, \infty[$ such that if $|y - x| < \delta(x, \varepsilon)$ then $|f(y) - f(x)| < \varepsilon$, for every $x, y \in X$ and $\varepsilon > 0$ (we write $|x_1 - x_2|$ for the distance between $x_1, x_2$, in any metric space considered).

The proof given in [1] makes use of partitions of unity; still in [1] it is stated (added 
in proof) that this proposition is also obtained in [3] as a consequence of general re- 
sults on multifunctions. Given the basic and pedagogical nature of the matter a really 
elementary and short proof of the Proposition is perhaps worth knowing; such a proof 
is reported both in [2] and in [3] and here is presented to the wider audience of the 
Monthly readership. It makes a nice exercise on product metric spaces. 

Proof To avoid trivialities, we assume that $f$ is non-constant (for constant $f$, any strictly positive function $\delta$ will do). The map $(x, y, \varepsilon) \mapsto \varepsilon - |f(y) - f(x)|$ from $X \times X \times ]0, \infty[$ into $\mathbb{R}$ is clearly continuous if $X \times X \times ]0, \infty[$ is given the product topology. It follows that the set

$$A = \{(x, y, \varepsilon) \in X \times X \times ]0, \infty[ : \varepsilon - |f(y) - f(x)| > 0\}$$

is open in $X \times X \times ]0, \infty[$; its complement $F$ is then closed, and it is non-empty since $f$ is non-constant. The function $\operatorname{dist}((x, y, \varepsilon), F)$ (distance from $F$) is then well-defined, Lipschitz continuous on $X \times X \times ]0, \infty[$ (we take the box metric on this